Haiku/haiku
Haiku/haiku
1
0
Fork 0
mirror of https://review.haiku-os.org/haiku synced 2024-11-23 07:18:40 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

boot/efi: Optionally sign our EFI bootloader

Browse Source 
* The private keys are in possession of Haiku, Inc.

Change-Id: I3b5b004e1dce0102f8a65f6d682f7e428845efe8
Reviewed-on: https://review.haiku-os.org/c/haiku/+/4936
Reviewed-by: Alex von Gluck IV <kallisti5@unixzen.com>
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
This commit is contained in:
Alexander von Gluck IV 2022-02-06 16:24:02 -06:00 committed by waddlesplash
parent 9a7906eadb
commit 31f27c4d39
7 changed files with 121 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
build/jam/ImageRules
View File

@ -1701,6 +1701,9 @@ rule BuildEfiSystemPartition image : efiLoader
Exit "Error: Unknown EFI architecture!" ; Exit "Error: Unknown EFI architecture!" ;
} }
# public efi keys for efi bios trust
EFIKEYS on $(image) = [ FDirName $(HAIKU_TOP) data boot efi keys ] ;
BuildEfiSystemPartition1 $(image) : $(fatshell) $(macVolumeIcon) $(efiLoader) ; BuildEfiSystemPartition1 $(image) : $(fatshell) $(macVolumeIcon) $(efiLoader) ;
} }
@ -1720,7 +1723,15 @@ actions BuildEfiSystemPartition1
${FATFS} --initialize "$(<)" 'Haiku ESP' ${FATFS} --initialize "$(<)" 'Haiku ESP'
echo "mkdir myfs/EFI" | ${FATFS} $(<) echo "mkdir myfs/EFI" | ${FATFS} $(<)
echo "mkdir myfs/KEYS" | ${FATFS} $(<)
echo "mkdir myfs/EFI/BOOT" | ${FATFS} $(<) echo "mkdir myfs/EFI/BOOT" | ${FATFS} $(<)
echo "cp :${LOADER} myfs/EFI/BOOT/$(EFINAME)" | ${FATFS} $(<) echo "cp :${LOADER} myfs/EFI/BOOT/$(EFINAME)" | ${FATFS} $(<)
echo "cp :${EFIICON} myfs/.VolumeIcon.icns" | ${FATFS} $(<) echo "cp :${EFIICON} myfs/.VolumeIcon.icns" | ${FATFS} $(<)
# Copy UEFI signing keys and a README for end users
echo "cp :$(EFIKEYS)/README.md myfs/KEYS/README.md" | ${FATFS} $(<)
for i in auth cer crt; do
echo "cp :$(EFIKEYS)/DB.$i myfs/KEYS/DB.$i" | ${FATFS} $(<)
done
} }

7
configure vendored
View File

@ -93,6 +93,7 @@ options:
specify the path to a GDB source dir, to build specify the path to a GDB source dir, to build
GDB for each arch we build the cross-tools for. GDB for each arch we build the cross-tools for.
--use-stack-protector Build with stack protection enabled --use-stack-protector Build with stack protection enabled
--efi-signing-key Private keyfile to sign any EFI bootloaders
environment variables: environment variables:
CC The host compiler. Defaults to "gcc". CC The host compiler. Defaults to "gcc".
@ -804,6 +805,11 @@ while [ $# -gt 0 ] ; do
--no-xattr) HAIKU_HOST_USE_XATTR_REF=0; shift 1;; --no-xattr) HAIKU_HOST_USE_XATTR_REF=0; shift 1;;
--with-gdb) gdbSources=$2; shift 2;; --with-gdb) gdbSources=$2; shift 2;;
--use-stack-protector) HAIKU_USE_STACK_PROTECTOR=1; shift 1;; --use-stack-protector) HAIKU_USE_STACK_PROTECTOR=1; shift 1;;
--efi-signing-key)
assertparam "$1" $#
HAIKU_EFI_SIGNING_KEY="$2"
shift 2
;;
*) echo Invalid argument: \`$1\'; exit 1;; *) echo Invalid argument: \`$1\'; exit 1;;
esac esac
done done
@ -1112,6 +1118,7 @@ HAIKU_PORTS ?= ${HAIKU_PORTS} ;
HAIKU_PORTS_CROSS ?= ${HAIKU_PORTS_CROSS} ; HAIKU_PORTS_CROSS ?= ${HAIKU_PORTS_CROSS} ;
HAIKU_IS_BOOTSTRAP ?= ${HAIKU_IS_BOOTSTRAP} ; HAIKU_IS_BOOTSTRAP ?= ${HAIKU_IS_BOOTSTRAP} ;
HAIKU_BOOT_EFI_PRIVATE_KEYFILE ?= ${HAIKU_EFI_SIGNING_KEY} ;
EOF EOF
for targetArch in $HAIKU_PACKAGING_ARCHS; do for targetArch in $HAIKU_PACKAGING_ARCHS; do

BIN
data/boot/efi/keys/DB.auth Normal file
View File

Binary file not shown.

BIN
data/boot/efi/keys/DB.cer Normal file
View File

Binary file not shown.

19
data/boot/efi/keys/DB.crt Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIUX+q+28/np8o/Vg64GrIN8CEcEA8wDQYJKoZIhvcNAQEL
BQAwGTEXMBUGA1UEAwwOSGFpa3UsIEluYy4gREIwHhcNMjIwMjA2MTk1MTQzWhcN
NDIwMjA2MTk1MTQzWjAZMRcwFQYDVQQDDA5IYWlrdSwgSW5jLiBEQjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKn6b6J60zU5L+UPXhHbJ2epyoQ+YKAo
6L7gmk79nBFOqidX10wfBFijZxdPvBeGHlMpmukjdgGNbOHKqYrYLsJHhrd/IZ+T
TMSa+ZD2d+2dSgn+jYQji3mOVnrb2xemRo9+IDiC37cEVAmOO1t5E0NmyM2rm2p0
HeShbLbcg+78mpgs3mDTzWbq4p7VRVdxjDI1i7108aaf2dVpDbh3Q0ipO9YEoTQq
3cXUeQ4IiR7FFzPlEZHSViSi3Fieg4GTHjkhZG3HLHYGEuR/B8lA9+S4uvYCiV8n
t/NVC6osnUBCKyl+00gLLohQGkNGDZXGZNwcIH9tls/AHysoNPrpI98CAwEAAaNT
MFEwHQYDVR0OBBYEFNganI/FIKluRVA+9LbrNDAZSjJBMB8GA1UdIwQYMBaAFNga
nI/FIKluRVA+9LbrNDAZSjJBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAAGz7qdUBHtk30JlB3M+z6Z78tIfz288SV+eekO+rl+8Fo+M+qSB6OrO
j1VcUSEQgbLFqoJz9haoEyUxXP8g/XWNx5n9gbPWZQHwva1AN9PHw4modF1XDCAV
N1F3pQ1atz3K+fOZWU6peDyoQEKI2szAtNycoV7x5SXFPybyyC4yPCW3ijou9sxW
D8jPECU+6RTh93pFptL+/KPFcLOi5ihCyMApqjNSvOox6m0LFUxCSpBJIk0QBOPQ
PHDAiSkkQaOHfA/5AnU/iyedsBYBlnY40drY4DGEntRG5yiMhvRjfmFfEufujCiZ
OVrndpb+VY6W5EzvGusu3HeSaMywj8w=
-----END CERTIFICATE-----

37
data/boot/efi/keys/README.md Normal file
View File

@ -0,0 +1,37 @@
# Haiku UEFI Keys
The EFI keys in this directory can be used to boot Haiku in UEFI Secure Mode.
The Haiku, Inc. key must be appended to your EFI BIOS trusted keychain to function.
> This is only needed when you're booting in EFI Secure Boot mode! It's probably
> easier to disable EFI Secure Boot in most cases.
## Installing UEFI Keys
To trust Haiku's EFI bootloader, you'll need to append our DB key to your BIOS's
DB keychain.
> Ensure the Haiku installation media is inserted / plugged into your computer.
Real world examples:
* Dell XPS 13 Laptop (Dell BIOS)
* Boot laptop, press F2 to enter BIOS
* Settings -> Secure Boot -> Secure Boot Enable
* Verify Secure Boot is enabled, otherwise this does nothing.
* Settings -> Secure Boot -> Expert Key Management
* "Enable Custom Mode" checked
* Press "Reset All Keys"
* Choose db, then press "Append from File"
* Navigate to the Haiku USB installation media
* EFI -> KEYS -> DB.auth
* Framework Laptop (InsydeH20 BIOS)
* Boot laptop, press F2 to enter BIOS
* Security -> Secure Boot
* Enforce Secure Boot enabled
* DB Options -> Enroll Signature -> PKCS7
* Haiku ESP -> KEYS -> DB.cer
* (you can leave the "Owner_GUID" blank)
* Enroll DB.cer -> Yes
* F10, Save and Exit

48
src/system/boot/Jamfile
View File

@ -141,6 +141,39 @@ actions BuildEFILoader
fi fi
} }
#
# Sign our EFI Bootloader if a key has been provided
# SignEFILoader <output> : <input> : <public_cert_file> : <private_key_file> ;
#
rule SignEFILoader
{
local signedEFILoader = $(1) ;
local unsignedEFILoader = $(2) ;
local publicCert = $(3) ;
local privateKey = $(4) ;
Depends $(signedEFILoader) : $(unsignedEFILoader) ;
DB_CERT_FILE on $(signedEFILoader) = $(publicCert) ;
DB_KEY_FILE on $(signedEFILoader) = $(privateKey) ;
}
actions SignEFILoader
{
$(RM) -f $(1)
echo "Signing EFI bootloader..."
sbsign --key $(DB_KEY_FILE) --cert $(DB_CERT_FILE) --output $(1) $(2)
}
#
# Verify our EFI bootloader has been properly signed
# VerifyEFILoader <loader> : <cert>
#
actions VerifyEFILoader
{
sbverify --cert $(2) $(1)
}
# #
# U-boot image creation # U-boot image creation
@ -352,7 +385,20 @@ for platform in [ MultiBootSubDirSetup ] {
switch $(TARGET_BOOT_PLATFORM) { switch $(TARGET_BOOT_PLATFORM) {
case efi : case efi :
BuildEFILoader haiku_loader.$(TARGET_BOOT_PLATFORM) : boot_loader_$(TARGET_BOOT_PLATFORM) ; if $(HAIKU_BOOT_$(platform:G=:U)_PRIVATE_KEYFILE) {
BuildEFILoader haiku_loader.$(TARGET_BOOT_PLATFORM).unsigned
: boot_loader_$(TARGET_BOOT_PLATFORM) ;
SignEFILoader haiku_loader.$(TARGET_BOOT_PLATFORM)
: haiku_loader.$(TARGET_BOOT_PLATFORM).unsigned
: [ FDirName $(HAIKU_TOP) data boot efi keys DB.crt ]
: $(HAIKU_BOOT_$(platform:G=:U)_PRIVATE_KEYFILE) ;
VerifyEFILoader haiku_loader.$(TARGET_BOOT_PLATFORM)
: [ FDirName $(HAIKU_TOP) data boot efi keys DB.crt ] ;
} else {
BuildEFILoader haiku_loader.$(TARGET_BOOT_PLATFORM)
: boot_loader_$(TARGET_BOOT_PLATFORM) ;
}
if $(TARGET_ARCH) = arm || $(TARGET_ARCH) = riscv64 { if $(TARGET_ARCH) = arm || $(TARGET_ARCH) = riscv64 {
# These EFI platforms need u-boot to get them going # These EFI platforms need u-boot to get them going
BuildUImageScript boot.scr BuildUImageScript boot.scr